Cybercrime: the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage (ECJ)

According to the Judgment (14.12.2023) of the Court of Justice in Case C-340/21 (Natsionalna agentsia za prihodite), the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.

The Bulgarian National Revenue Agency (the NAP) is attached to the Bulgarian Minister for Finance. In particular, it is responsible for identifying, securing and recovering public debts. In this context, it is a personal data controller. On 15 July 2019, the media reported an intrusion into the NAP IT system, revealing that, following that cyberattack, personal data concerning millions of persons had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be misused. 

The Bulgarian Supreme Administrative Court refers several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR). It seeks clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack by cybercriminals.

In its judgment, the Court answers the questions referred as follows: 

  • In the event of unauthorised disclosure of personal data or unauthorised access to those data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures in a concrete manner. 
  • It is for the controller to prove that the protective measures implemented were appropriate. 
  • In the event that the unauthorised disclosure of personal data or unauthorised access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage. 
  • The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.

(curia.europa.eu/ photo: freepik.com)

Editorial

George Kazoleas, Lawyer
